Many cryptographic protocols are intended to coordinate state changes among principals. Exchange 
protocols coordinate delivery of new values to the participants, e.g. additions to the set of values 
they possess. An exchange protocol is fair if it ensures that delivery of new values is balanced: if 
one participant obtains a new possession via the protocol, then all other participants will, too. Fair 
exchange requires progress assumptions, unlike some other protocol properties. 

The strand space model is a framework for design and verification of cryptographic protocols. A 
strand is a local behavior of a single principal in a single session of a protocol. A bundle is a partially 
ordered global execution built from protocol strands and adversary activities. 

The strand space model needs two additions for fair exchange protocols. First, we regard the 
state as a multiset of facts, and we allow strands to cause changes in this state via multiset rewriting. 
Second, progress assumptions stipulate that some channels are resilient — and guaranteed to deliver 
messages — and some principals are assumed not to stop at certain critical steps. 

This method leads to proofs of correctness that cleanly separate protocol properties, such as 
authentication and confidentiality, from invariants governing state evolution. G. Wang's recent fair 
exchange protocol illustrates the approach. 

1 Introduction 

Many cryptographic protocols are meant to coordinate state changes between principals in distributed 
systems. For instance, electronic commerce protocols aim to coordinate state changes among a customer, 
a merchant, and one or more financial institutions. The financial institutions should record credits and 
debits against the accounts of the customer and the merchant, and these state changes should be correlated 
with state changes at the merchant and the customer. The merchant's state changes should include issuing 
a shipping order to its warehouse. The customer records a copy of the shipping order, and a receipt for 
the funds from its financial institution. The job of the designer of an application-level protocol like this 
is to ensure that these changes occur in a coordinated, transaction-like way. 

State changes should occur only when the participants have taken certain actions, e.g. the customer 
must have authorized any funds transfer that occurs. Moreover, they should occur only when the par- 
ticipants have certain joint knowledge, e.g. that they all agree on the identities of the participants in the 
transaction, and the amount of money involved. These are authentication goals in the parlance of pro- 
tocol analysis. There may also be confidentiality goals that limit joint knowledge. In our example, the 
customer and merchant should agree on the goods being purchased, which should not be disclosed to the 
bank, while the customer and bank should agree on the account number or card number, which should 
not be disclosed to the merchant. 

Goal of this paper. In this paper, we develop a model of the interaction of protocol execution with state 
and state change. We use our model to provide a proof of a clever fair exchange protocol due to Guilin 
Wang [13], modulo a slight correction. 
We believe that the strength of the model is evident in the proof's clean composition of protocol- 
specific reasoning with state-specific reasoning. In particular, our proof modularizes what it needs to 
know about protocol behavior into the four authentication properties given in Section 2 (Lemmas 2.1 and 
2.2). If any protocol achieves these authentication goals and its roles obey simple conditions on the 
ordering of events, then other details do not matter: it will succeed as a fair exchange protocol. 

A two-party fair exchange protocol is a mechanism to deposit a pair of values atomically into the 
states of a pair of principals. Certified delivery protocols are a typical kind of fair exchange protocol. A 
certified delivery protocol aims to allow A, the sender of a message, to obtain a digitally signed receipt 
if the message is delivered to B. B should obtain the message together with signed evidence that it came 
from A. If a session fails, then neither principal should obtain these values. If it succeeds, then both 
should obtain them. The protocol goal is to cause state evolution of these participants to be balanced. 

The "fair" in "fair exchange" refers to the balanced evolution of the state. "Fair" does not have 
the same sense as in some other uses in computer science, where an infinitely long execution is fair 
if any event actually occurs, assuming that it is enabled in an infinite subsequence of the states in that 
execution. In some frameworks, fairness in this latter sense helps to clarify the workings of fair exchange 
protocols [22]. However, we show here how fair exchange protocols can also be understood independent 
of this notion of fairness. When we formalize Wang's protocol [13], we use an extension of the strand 
space model [10] in which there are no infinite executions or fairness assumptions. 

As has been long known flHl a deterministic fair exchange protocol must rely on a trusted third 
party T. Recent protocols generally follow Q] in using the trusted third party optimistically, i.e. T 
is never contacted in the extremely common case that a session terminates normally between the two 
participants. T is contacted only when one participant does not receive an expected message. 

Each principal A,B,T has a state. T uses its state to record the sessions in which one participant 
has contacted it. For each such session, T remembers the outcome — whether T aborted the session or 
completed it successfully — so that it can deliver the same outcome to the other participant. The states of 
A,B simply record the ultimate result of each session in which they participate. The protocol guides the 
state's evolution to ensure balanced changes. 

Strand space extensions. Two additions to strand spaces are needed to view protocols as solving 
coordinated state change problems. A strand is a sequence of actions executed by a single principal in a 
single local session of a protocol. 

We enrich strands to allow them to synchronize with the projection of the joint state that is local to the 
principal P executing the strand. We previously defined the actions on a strand to be either (1) message 
transmissions or (2) message receptions. We now extend the definition to allow the actions also to be (3) 
state synchronization events. P's state at a particular time may permit some state synchronization events 
and prohibit others, so that P's strands are blocked from the latter behaviors. Thus, the state constrains 
protocol behavior. Updates to P's state may record actions on P's strands. 

We represent states by multisets of facts, and state change by multiset rewriting [3, 7], although with 
several differences from Mitchell, Scedrov et al. First, they use multiset rewriting to model protocol and 
communication behavior, as well as the states of the principals. We instead use strands for the protocol 
and communication behavior. Our multiset rewriting represents only changes to a single principal's local 
state. Hence, second, in our rules we do not need existentials, which they used to model selection of 
fresh values. Third, we tend to use "big" states that may have a high cardinality of facts. However, the 
big states are generally sparse, and extremely easy to implement with small data structures. 

We also incorporate guaranteed progress assumptions into strand spaces. Protocols that establish 
balance properties need guaranteed progress. Since principals communicate by messages, one of them — 
call it A — must be ready to make its state change first. Some principal (either A or some third party) 
must send a message to B to enable it to make its state change. If this message never reaches B, B cannot 
execute its state change. Hence, in the absence of a mechanism to ensure progress, A has a strategy — by 
preventing future message deliveries — to prevent the joint state from returning to balance. 

These two augmentations — state synchronization events and a way to stipulate progress — fit together 
to form a strand space theory usable for reasoning about coordinated state change. 

Structure of this paper. Section 2 describes Wang's protocol. Two lemmas (Lemmas 2.1 and 2.2) 
summarize the authentication properties that we will rely on. Any protocol whose message flow satisfies 
these two lemmas, and which synchronizes with state history at the same points, will meet our needs. 

Section 3 introduces our multiset rewriting framework, proving a locality property. This property 
says that state synchronization events of two different principals are always concurrent in the sense that 
they commute. Hence, coordination between different principals can only occur by protocol messages, 
not directly by state changes. We also formalize the state facts and rules for Wang's protocol, inferring 
central facts about computations using these rules. These (very easily verified) facts are summarized in 
Lemma 3.7. Any system of rules that satisfies Lemma 3.7 will meet our needs. 

Section 4 gives definitions for guaranteed progress, applying them to Wang's protocol. Lemma 4.4, 
the key conclusion of Section 4, says that any compliant principals executing a session with a session 
number L can always proceed to the end of a local run, assuming only that the trusted third party is 
"ready" to handle sessions labeled L. 

In Section 5 we put the pieces together to show that the protocol achieves its balanced state evolution 
goal. In particular, the balance property depends only on Lemmas 2.1 and 2.2 about the protocol structure, 
Lemma 3.7 about the state history mechanism, and Lemma 4.4 about progress. In this way, the verification 
is well-factored into three sharply distinguished conceptual components. 



2 The Gist of Wang's Protocol 

Wang's fair exchange protocol [13] is appealing because it is short — only three messages in the main 
exchange (Fig. 1) — and uses only "generic" cryptography. By generic cryptography, Wang means stan- 
dard digital signatures, and probabilistic asymmetric encryption such that the random parameter may be 
recovered when decryption occurs. RSA-OAEP is such a scheme. In many situations, these advantages 
will probably outweigh one additional step in the dispute resolution (see below in this section, p. 50). 

We write $\{|t|\}_k$ for $t$ encrypted with the key $k$, and $\{|t|\}_k^r$ for $t$ encrypted with the key $k$ using recov- 
erable random value $r$. We write $h(t)$ for a cryptographic hash of $t$, and $[[t]]_k$ for a digital signature on $t$ 
which may be verified using key $k$. By this, we mean $t$ together with a cryptographic value prepared from 
$h(t)$ using $k^{-1}$, the private signature key corresponding to $k$. When we use a principal name A,B,T in 
place of $k$, we mean that a public key associated with that principal is used for encryption, as in $\{|t|\}_A$, or 
for signature verification, as in $[[t]]_A$. Message ingredients such as keytag, ab_rq, ab_cf, etc., are distinc- 
tive bit-patterns used to tag data, indicate requests or confirmations, etc. Our notation differs somewhat 
from Wang's; for instance, his $L$ is our $h(L)$. 

Main exchange. In the first message (Fig. 1), A sends the payload M to B encrypted with a key K, as 
well as K encrypted with the public encryption key of the trusted third party T. A also sends a digitally 
signed unit EOO asserting that the payload (etc.) originates with A. The value L serves to identify this 
session uniquely. In the second message, B countersigns h(L), EK. In the third message, A discloses K 
and the random value R used originally to encrypt K for T. B uses this information to obtain M, and also 
$$A \to B:\ L\,\hat{}\,EM\,\hat{}\,EK\,\hat{}\,EOO$$
$$B \to A:\ EOR$$
$$A \to B:\ K\,\hat{}\,R$$

where:
$$L = A\,\hat{}\,B\,\hat{}\,T\,\hat{}\,h(EM)\,\hat{}\,h(K) \qquad EM = \{|M|\}_K$$
$$EK = \{|\mathrm{keytag}\,\hat{}\,h(L)\,\hat{}\,K|\}_T^R \qquad EOO = [[\mathrm{eootag}\,\hat{}\,h(L)\,\hat{}\,EK]]_A \qquad EOR = [[\mathrm{eortag}\,\hat{}\,h(L)\,\hat{}\,EK]]_B$$

Figure 1: Wang's protocol: A Successful Run 



to reconstruct EK, and thus to validate that the hashes inside EOO are correctly constructed. At the end 
of a successful exchange, each party deposits the resulting values as a record in its state repository. 

Abort and recovery subprotocols. What can go wrong? If the signature keys are uncompromised 
and the random values K,R are freshly chosen, only two things can fail. Either A fails to receive B's 
countersigned evidence EOR; or else A receives it, but B fails to receive a correct K,R. 

1. If A fails to receive EOR, then A sends the session identifier L and a signed abort request AR to T. 
T may confirm, and certify the session is aborted, sending a countersigned $[[AR]]_T$. 

2. If B sends EOR but does not receive K,R, then B asks T to "recover" the session. To do so, B sends 
$L\,\hat{}\,EK\,\hat{}\,EOO\,\hat{}\,EOR$ to T, inside a signed unit RR indicating that this is a recovery request. 

T can now decrypt the encrypted key $EK = \{|\mathrm{keytag}\,\hat{}\,h(L)\,\hat{}\,K|\}_T^R$, returning $K\,\hat{}\,R$. If T's attempt to 
decrypt fails, or yields values incompatible with the session information, then no harm is done: 
A will never be able to convince a judge that a valid transaction occurred. Wang's protocol returns 
an error message that we do not show here [13, Fig. 3]. 

What should happen if A makes an abort request and B also makes a recovery request, perhaps because 
EOR was sent but lost in transmission? T services whichever request is received first. When the other 
party's request is received, T reports the result of that first action. The local behaviors (strands) for A,B 
in this protocol are shown in Fig. 2. The local sessions (strands) are the paths from a root to a terminal 
node; there are four paths for A and three paths for B. The solid nodes indicate messages to be sent or 
received, while the hollow nodes ◦ indicate events in which the participants deposit results into their state 
repositories. This figure is not precise about the forms of the messages, the parameters available to each 




[Figure 2 is not reproduced in this text; its nodes include the state events depEOO and depAT.] 

Figure 2: Initiator (A) and Responder (B) Behavior 

[Figure 3 is not reproduced in this text.] 

Figure 3: Trusted Third Party: Abort (left), Resolve (center), and Confirm (right) Requests 



participant at each point in its run, or the parameters to the state synchronization events. For instance, 
B does not know whether a claimed EM is really of the form $\{|M|\}_K$ when first receiving it, nor what 
M,K would produce the message received. However, the fairness of the protocol is largely independent 
of these details. 

A's abort request AR elicits an abort confirmation $[[AR]]_T$ if it reaches T first, but it elicits a recovery 
token EOR if B's recovery request was received first. Likewise, B's recovery request RR elicits $K\,\hat{}\,R$ 
if it is received first, but it elicits the abort confirmation $[[AR]]_T$ if A's abort request was received first. T 
must synchronize with its state to ensure that these different requests are serviced in compatible ways, 
depending on whichever arrived first. This compatibility of responses ensures that A,B will execute 
balanced state changes. 

These behaviors of the trusted third party T, together with an additional behavior concerned with 
dispute resolution, are summarized in Fig. 3. We have indicated here that T's behavior, in response to 
an abort request AR, may lead either to an abort token AT, or else to evidence of receipt EOR. Now, 
the hollow nodes ◦ guard the choice of branch. T transmits AT only after an abrt event, and EOR only 
after a frcvr event. In response to a recovery request RR from B, T may transmit $K\,\hat{}\,R$ or an abort token 
AT; however, the former occurs only after a rcvr event and the latter only after a fabrt event. Thus, the 
essential job for T's long term state in this protocol is to ensure that if an abrt event occurs for session L, 
then a rcvr never happens for L, and vice versa. This is easily accomplished by a state-based mechanism. 

Dispute Resolution. A subtlety in this protocol concerns dispute resolution. Since A receives EOR 
before disclosing $K\,\hat{}\,R$, A could choose to abort at this point. A dishonest A could later choose between 
proving delivery via EOR and proving that this session aborted via the abort token AT. To prevent this, 
the protocol stipulates that a judge resolving disputes queries B or T for an abort token; it does not accept 
A's presented EOR if the abort token is also available. 

However, this is asymmetric. The abort token is used only by B (or T on B's behalf) to dispute 
receipt. A can never use it to dispute origin [13, Sec. 4.4], because of essentially the same abuse just 
mentioned. 

For simplicity, we will assume that the judge is identical with T. When asked by A to confirm an 
EOR, T does so if the session has not aborted. When confirming an EOR, T must ensure that the session 
will never abort in the future, so that an EOR confirmation is handled similarly to a recovery request. If 
the session has already aborted, then T returns the abort token instead. 

This step may make Wang's protocol undesirable in some cases, where T may no longer be avail- 
able for dispute resolution. It is also why Wang's protocol can use fewer messages than the four that 
Pfitzmann-Schunter-Waidner proved to be needed in a fair exchange protocol with asynchronous com- 
munication ATI. 



Our Correction to Wang's Protocol. We have adjusted Wang's protocol. When B's recovery request 
arrives after A's abort request, B receives $[[AR]]_T$. In the original description, B receives AR itself. 

However, then a dishonest B has a strategy to defeat the fairness of the protocol. Namely, after 
receiving the first message, B does not reply to A, but immediately requests resolution from T, generally 
receiving $K\,\hat{}\,R$ from T. When A requests an abort from T, B attempts to read this abort request off of the 
network. If successful, B has both AR and $K\,\hat{}\,R$. Hence, it can subsequently choose whether to insist that 
the message was delivered, using the valid EOO, or whether to repudiate receipt, using the AR. 

Whether this attack is possible depends on the nature of the channel between A and T. Under the 
usual assumption that the channel is resilient in the sense of ensuring delivery, the attack is possible. If 
the channel offers both resilience and confidentiality, then the attack would be impossible. We have stip- 
ulated that B needs the countersigned $[[AR]]_T$ to make this attack infeasible on the standard assumption 
of resiliency only. 

Authentication Properties of Wang's Protocol. A strand is a (linearly ordered) sequence of nodes 
$n_1 \Rightarrow \ldots \Rightarrow n_j$, each of which represents either: 

Transmission of some message $\mathrm{msg}(n_i)$; 
Reception of some message $\mathrm{msg}(n_i)$; or 
State synchronization labeled by some fact, i.e. a variable-free atomic formula, $E(a_1,\ldots,a_k)$. 

A strand may represent the behavior of a principal in a single local session of a protocol, in which case 
it is a regular strand of that protocol, or it may represent a basic adversary activity. Basic adversary 
activities include receiving a plaintext and a key and transmitting the result of the encryption, and re- 
ceiving a ciphertext and its matching decryption key, and transmitting the resulting plaintext. We show 
transmission and reception nodes by bullets • and state synchronization nodes by hollow circles ◦. 

A protocol $\Pi$ is a finite set of strands, which are the roles of the protocol. A strand $s$ is an instance 
of a role $\rho \in \Pi$, if $s = \rho \cdot \alpha$, i.e. if $s$ results from $\rho$ by applying a substitution $\alpha$ to parameters in $\rho$. 

A bundle $\mathcal{B}$ is a finite directed acyclic graph whose vertices are strand nodes, and whose arrows are 
either strand edges $\Rightarrow$ or communication arrows $\to$. A bundle satisfies three properties: 

1. If $m \to n$, then $m$ is a transmission node, $n$ is a reception node, and $\mathrm{msg}(m) = \mathrm{msg}(n)$. 

2. Every reception node $n \in \mathcal{B}$ has exactly one incoming $\to$ arrow. 

3. If $n \in \mathcal{B}$ and $m \Rightarrow n$, then $m \in \mathcal{B}$. 

Bundles model possible protocol executions. Bundles may include both adversary strands and regular 
strands. For more detail, see the Appendix. 

Using this notation, we can state two authentication properties that involve A,B. We omit the proof, 
which uses digital signatures in an extremely routine way, given a precise statement of the protocol. 

Lemma 2.1 1. Suppose $\mathcal{B}$ is a bundle in which B's private signature key is uncompromised, and 
that, in $\mathcal{B}$, A reaches a node marked depEOR on a strand with parameters A,B,T,M,K,R. Then 
B has executed at least the first two nodes of a responder strand, transmitting EOR, on a strand 
with matching parameters. 

2. Suppose $\mathcal{B}$ is a bundle in which A's private signature key is uncompromised, and that, in $\mathcal{B}$, B 
reaches a node marked depEOO or depAT on a strand with parameters A,B,T,EM,EK. Then 
A has executed at least the first node of an initiator strand, transmitting EOO, on a strand with 
matching parameters. 

Two authentication properties involving T are also routine applications of rules for digital signatures. 

Lemma 2.2 1. Suppose $\mathcal{B}$ is a bundle in which A's and T's private signature keys are uncompromised, 
and that, in $\mathcal{B}$, A reaches a node marked depAT. Then T has completed a strand transmitting AT 
with matching parameters. 

2. Suppose $\mathcal{B}$ is a bundle in which A's and T's private signature keys are uncompromised. If, in $\mathcal{B}$, B 
reaches a node marked depAT, then: 

(a) A has reached the second node of an aborting strand, transmitting AR, on a strand with 
matching parameters. 

(b) T has reached a node transmitting AT in response to a recovery query RR with matching 
parameters. 

If instead B reaches a node marked depEOO then either A has transmitted $K\,\hat{}\,R$, or else T has 
transmitted $K\,\hat{}\,R$. 



Clause (2b) is the part of Lemma 2.2 that would be untrue without our adjustment to Wang's protocol. 
If B receives only AR, then Clause (2a) holds, but not necessarily Clause (2b). This means that T's state 
might not reflect the abort. 



3 Protocol Behavior and Mutable State 

We formalize state change using multiset rewriting [3, 7]. Strands contain special state synchroniza- 
tion events that synchronize them with the state of the principal executing the strands, as formalized in 
Definition 3.5. 

3.1 Multiset rewriting to maintain state 

We formalize mutable state using MSR. A state is a multiset of ground facts $F(t_1,\ldots,t_i)$, where each 
$F(t_1,\ldots,t_i)$ is the application of a predicate $F$ to some sequence $t_1,\ldots,t_i$. These arguments are messages, 
and thus do not contain variables; hence, a state $\Sigma$ is a multiset of ground facts. We write a vector of 
messages $t,\ldots,t'$ in the form $\vec{t}$. 
A rewrite rule $\rho$ takes the form: 

$$D(\vec{t}_0),\ldots,F(\vec{t}_1) \xrightarrow{\;E(\vec{t}_2)\;} G(\vec{t}_3),\ldots,H(\vec{t}_4)$$

where now the arguments $\vec{t}_0,\ldots,\vec{t}_4$ are vectors of parametric message terms that may contain variables. 
When replacing these variables with messages, we obtain ground facts. Unlike [7], we label our transi- 
tions with a fact $E(\vec{t}_2)$, but we do not require existential quantifiers in the conclusions of rules. We will 
assume that every variable free in $\vec{t}_0,\ldots,\vec{t}_4$ is also free in $\vec{t}_2$. Thus, a ground instance of $E(\vec{t}_2)$ determines 
ground instances of all the facts $D(\vec{t}_0),\ldots,F(\vec{t}_1),G(\vec{t}_3),\ldots,H(\vec{t}_4)$. 

We write $\mathrm{lhs}(\rho)$ for $D(\vec{t}_0),\ldots,F(\vec{t}_1)$; we write $\mathrm{rhs}(\rho)$ for $G(\vec{t}_3),\ldots,H(\vec{t}_4)$; and $\mathrm{lab}(\rho)$ for $E(\vec{t}_2)$. 
A rule stipulates that the state can change by consuming instances of the facts in its left-hand side, 
and producing the corresponding instances of the facts in its right hand side. These sets of facts may 
overlap, in which case the facts in the overlap are required for the rule to apply, but preserved when it 
executes. A rewrite rule $\rho$ applies to a state $\Sigma_0$ when, for some substitution $\alpha$, 

$$\Sigma_0 = \Sigma, D(\vec{t}_0 \cdot \alpha),\ldots,F(\vec{t}_1 \cdot \alpha),$$

i.e., $\Sigma_0$ is the multiset union of $\Sigma$ with instances of the premises of $\rho$ under $\alpha$. The result of applying $\rho$ 
to $\Sigma_0$, using substitution $\alpha$, is 

$$\Sigma, G(\vec{t}_3 \cdot \alpha),\ldots,H(\vec{t}_4 \cdot \alpha).$$

Since this is a state, the facts $G(\vec{t}_3 \cdot \alpha),\ldots,H(\vec{t}_4 \cdot \alpha)$ must again be ground; i.e. $\alpha$ must associate the 
variables of $\vec{t}_3,\ldots,\vec{t}_4$ with variable-free messages. There may be variables in $\vec{t}_3,\ldots,\vec{t}_4$ that do not occur 
in $\vec{t}_0,\ldots,\vec{t}_1$. These variables take values nondeterministically, from the point of view of the prior state. In 
an execution, they may be determined by protocol activities synchronized with the state. Our assumption 
about the variables in $E(\vec{t}_2)$ ensures each ground instance of $E(\vec{t}_2)$ determines an $\alpha$ under which $\vec{t}_3,\ldots,\vec{t}_4$ 
become ground, and $\vec{t}_2$ so to speak summarizes all choices of values for variables. 

Definition 3.1 Let $\rho = D(\vec{t}_0),\ldots,F(\vec{t}_1) \xrightarrow{\;E(\vec{t}_2)\;} G(\vec{t}_3),\ldots,H(\vec{t}_4)$. 

$\Sigma_0 \xrightarrow{\rho,\alpha} \Sigma_1$ is a $\rho,\alpha$ transition from $\Sigma_0$ to $\Sigma_1$ iff $\Sigma_0,\Sigma_1$ are ground, and there exists a $\Sigma$ such that 
$\Sigma_0 = \Sigma, D(\vec{t}_0 \cdot \alpha),\ldots,F(\vec{t}_1 \cdot \alpha)$ and $\Sigma_1 = \Sigma, G(\vec{t}_3 \cdot \alpha),\ldots,H(\vec{t}_4 \cdot \alpha)$. 

A computation is a finite path through states via transitions; i.e. $\mathcal{C} = \Sigma_0 \xrightarrow{\rho_0,\alpha_0} \Sigma_1 \cdots \xrightarrow{\rho_j,\alpha_j} \Sigma_{j+1}$. 
$\mathcal{C}$ is over a set of rules $R$ if each $\rho_i \in R$. When no ambiguity results, we will also write $\mathcal{C}$ in the form: 

$$\mathcal{C} = \Sigma_0 \xrightarrow{\;E_0(\vec{t}_0 \cdot \alpha_0)\;} \Sigma_1 \xrightarrow{\;E_1(\vec{t}_1 \cdot \alpha_1)\;} \cdots \xrightarrow{\;E_j(\vec{t}_j \cdot \alpha_j)\;} \Sigma_{j+1}.$$

We write $\mathrm{first}(\mathcal{C})$ for $\Sigma_0$ and $\mathrm{last}(\mathcal{C})$ for $\Sigma_{j+1}$. 

In this lemma, we interpret $\setminus, \cup, \subseteq$ as the multiset difference, union, and subset operators. 
Lemma 3.2 Suppose $(\mathrm{lhs}(\rho_1) \cdot \alpha_1) \cup (\mathrm{lhs}(\rho_2) \cdot \alpha_2) \subseteq \Sigma_0$. If $\Sigma_0 \xrightarrow{\rho_1,\alpha_1} \Sigma_1 \xrightarrow{\rho_2,\alpha_2} \Sigma_2$, then 

$$\exists \Sigma'_1.\ \Sigma_0 \xrightarrow{\rho_2,\alpha_2} \Sigma'_1 \xrightarrow{\rho_1,\alpha_1} \Sigma_2.$$

Proof. $\Sigma_1 = (\Sigma_0 \setminus (\mathrm{lhs}(\rho_1) \cdot \alpha_1)) \cup (\mathrm{rhs}(\rho_1) \cdot \alpha_1)$, and $\Sigma_2 = (\Sigma_1 \setminus (\mathrm{lhs}(\rho_2) \cdot \alpha_2)) \cup (\mathrm{rhs}(\rho_2) \cdot \alpha_2)$. We 
define $\Sigma'_1 = (\Sigma_0 \setminus (\mathrm{lhs}(\rho_2) \cdot \alpha_2)) \cup (\mathrm{rhs}(\rho_2) \cdot \alpha_2)$. By the assumption, $\Sigma_2 = (\Sigma'_1 \setminus (\mathrm{lhs}(\rho_1) \cdot \alpha_1)) \cup (\mathrm{rhs}(\rho_1) \cdot \alpha_1)$. □ 

3.2 Locality to principals 

In our manner of using MSR, all manipulation of state is local to a particular principal, and coordination 
among different principals occurs only through protocol behavior represented on strands. 

Definition 3.3 A set of rewrite rules $R$ is localized to principals, if, for a single distinguished variable $p$, 
for every rule $\rho \in R$, for each fact $F(\vec{t})$ occurring in $\rho$ as a premise or conclusion, $F(\vec{t})$ is of the form 
$F(p,\vec{t}')$. 

The principal of a transition $\Sigma_0 \xrightarrow{\rho,\alpha} \Sigma_1$ is $p \cdot \alpha$. 

Thus, only the principal of a transition $\Sigma_0 \xrightarrow{\rho,\alpha} \Sigma_1$ is affected by it. Transitions with different principals 
are always concurrent. If $p \cdot \alpha_1 \neq p \cdot \alpha_2$ and $(\rho_1,\alpha_1),(\rho_2,\alpha_2)$ can happen, so can the reverse, with the 
same effect: 

Corollary 3.4 Let $R$ be localized to principals, with $\rho_1,\rho_2 \in R$, and $p \cdot \alpha_1 \neq p \cdot \alpha_2$. If $\Sigma_0 \xrightarrow{\rho_1,\alpha_1} \Sigma_1 \xrightarrow{\rho_2,\alpha_2} \Sigma_2$, 
then $\Sigma_0 \xrightarrow{\rho_2,\alpha_2} \Sigma'_1 \xrightarrow{\rho_1,\alpha_1} \Sigma_2$, for some $\Sigma'_1$. 

Proof. Since $p \cdot \alpha_1 \neq p \cdot \alpha_2$, the facts on the right hand side of $\rho_1 \cdot \alpha_1$ are disjoint from those on the 
left hand side of $\rho_2 \cdot \alpha_2$. Hence, $\rho_2,\alpha_2$ being enabled in $\Sigma_1$, it must also be enabled in $\Sigma_0$. Hence, 
$(\mathrm{lhs}(\rho_1) \cdot \alpha_1) \cup (\mathrm{lhs}(\rho_2) \cdot \alpha_2) \subseteq \Sigma_0$, and we may apply Lemma 3.2. □ 
The following definition connects bundles with computations. 
Definition 3.5 Let $R$ be localized to principals. 

1. An eventful protocol $\Pi$ is a finite set of roles containing nodes of three kinds: 

(a) transmission nodes $+t$, where $t$ is a message; 

(b) reception nodes $-t$, where $t$ is a message; and 

(c) state synchronization events $E_i(p,\vec{t})$. 

We require that if $E_i(p,\vec{t})$ and $E_j(p',\vec{t}')$ lie on the same strand, then $p = p'$. If a strand $s$ contains 
a state synchronization $E_i(p,\vec{t})$, then $p$ is the principal of $s$. 

2. Suppose that $\mathcal{B}$ is a bundle over the eventful protocol $\Pi$; $\mathcal{C}$ is a finite computation for the rules 
$R$; and $\phi$ is a bijection between state synchronization nodes of $\mathcal{B}$ and transitions of $\mathcal{C}$. $\mathcal{B}$ is 
compatible with $\mathcal{C}$ under $\phi$ iff 

(a) The event $E_i(p,\vec{t})$ at $n$ is the label on $\phi(n)$, and 

(b) $n_0 \preceq_{\mathcal{B}} n_1$ implies $\phi(n_0)$ precedes $\phi(n_1)$ in $\mathcal{C}$. 

3. An execution of $\Pi$ constrained by $R$ is a triple $(\mathcal{B},\mathcal{C},\phi)$ where $\mathcal{B}$ is compatible with $\mathcal{C}$ under $\phi$. 

If $(\mathcal{B},\mathcal{C},\phi)$ is an execution, then it represents possible protocol behavior $\mathcal{B}$ for $\Pi$, where state-sensitive 
steps are constrained by the state maintained in $\mathcal{C}$. Moreover, the state $\mathcal{C}$ evolves as driven by state 
synchronizations occurring in strands appearing in $\mathcal{B}$. The bijection $\phi$ makes explicit the correlation 
between events in the protocol runs of $\mathcal{B}$ and transitions occurring in $\mathcal{C}$. 

3.3 States and Rules for Wang's Protocol 

Trusted Third Party State. Conceptually, the trusted third party $T_0$ maintains a status record for each 
possible transaction it could be asked to abort or recover. Since each transaction is determined by a label 
$\ell = \mathcal{L}_{A,B,T}(hm,hk) = A\,\hat{}\,B\,\hat{}\,T\,\hat{}\,hm\,\hat{}\,hk$, where $T = T_0$, it maintains a fact for each such value. This fact indicates 
either (1) that no message has as yet been received in connection with this session; or (2) that the 
session has been recovered, in which case the evidence of receipt is also kept in the record; or (3) that 
the session has been aborted, in which case the signed abort request is also kept in the record. Thus, the 
state record for the session with label $\ell = \mathcal{L}_{A,B,T}(hm,hk)$ is a fact of one of the three forms: 

$$\mathrm{unseen}(T,\ell) \qquad \mathrm{recovered}(T,\ell,EOR) \qquad \mathrm{aborted}(T,\ell,AT)$$

Naturally, a programmer will maintain a sparse representation of this state, in which only the last two 
forms are actually stored. A query for $\ell$ that retrieves nothing indicates that the session $\ell$ is as yet unseen. 

Four types of events synchronize with T's state. The event $\mathrm{rcvr}(T,\ell,e)$ deposits a $\mathrm{recovered}(T,\ell,e)$ fact 
into the state, and requires the state to contain either an $\mathrm{unseen}(T,\ell)$ fact or a preexisting $\mathrm{recovered}(T,\ell,e)$ 
fact with the same $e$, which are consumed. 

$$\mathrm{unseen}(T,\ell) \xrightarrow{\;\mathrm{rcvr}(T,\ell,e)\;} \mathrm{recovered}(T,\ell,e)$$

$$\mathrm{recovered}(T,\ell,e) \xrightarrow{\;\mathrm{rcvr}(T,\ell,e)\;} \mathrm{recovered}(T,\ell,e)$$

The second of these forms ensures that repeated rcvr events succeed, with no further state change. 
The event $\mathrm{abrt}(T,\ell,a)$ deposits an $\mathrm{aborted}(T,\ell,a)$ fact into the state, and requires the state to contain 
either an $\mathrm{unseen}(T,\ell)$ fact or a preexisting $\mathrm{aborted}(T,\ell,a)$ fact, which are consumed. 

$$\mathrm{unseen}(T,\ell) \xrightarrow{\;\mathrm{abrt}(T,\ell,a)\;} \mathrm{aborted}(T,\ell,a)$$

$$\mathrm{aborted}(T,\ell,a) \xrightarrow{\;\mathrm{abrt}(T,\ell,a)\;} \mathrm{aborted}(T,\ell,a)$$

Finally, there is an event for a forced recover $\mathrm{frcvr}(T,\ell,e)$ and one for a forced abort $\mathrm{fabrt}(T,\ell,a)$. These 
may occur when the recovered fact [or respectively, the aborted fact] is already present, so that an attempt 
to abort [or respectively, to recover] must yield the opposite result. 

$$\mathrm{recovered}(T,\ell,e) \xrightarrow{\;\mathrm{frcvr}(T,\ell,e)\;} \mathrm{recovered}(T,\ell,e)$$

$$\mathrm{aborted}(T,\ell,a) \xrightarrow{\;\mathrm{fabrt}(T,\ell,a)\;} \mathrm{aborted}(T,\ell,a)$$

Definition 3.6 A GW initial state is a multiset $\Sigma$ such that: 

1. No fact $\mathrm{recovered}(T,\ell,e)$ or $\mathrm{aborted}(T,\ell,a)$ is present in $\Sigma$; 

2. For all $\ell$, the multiplicity $|\mathrm{unseen}(T,\ell)|_\Sigma$ of $\mathrm{unseen}(T,\ell)$ in $\Sigma$ is at most 1. 

$\mathcal{C}$ is a GW computation if it is a computation using the set $R_W$ of the six rules above, starting from a GW 
initial state $\Sigma_0$. 

There are several obvious consequences of the definitions. The first says that the multiplicity of facts 
for a single session $\ell$ does not increase, and initially starts at 0 or 1, concentrated in $\mathrm{unseen}(T,\ell)$. The 
next two say that a $\mathrm{recovered}(T,\ell,e)$ fact arises only after a $\mathrm{rcvr}(T,\ell,e)$ event, and an $\mathrm{aborted}(T,\ell,a)$ fact 
after an $\mathrm{abrt}(T,\ell,a)$ event. Then we point out that a $\mathrm{rcvr}(T,\ell,e)$ event and an $\mathrm{abrt}(T,\ell,a)$ event never 
occur in the same computation, and finally that a $\mathrm{rcvr}(T,\ell,e)$ event must precede a $\mathrm{frcvr}(T,\ell,e)$ event, 
and likewise for aborts and forced aborts. 

Lemma 3.7 Let $\mathcal{C} = \Sigma_0 \to \Sigma_1 \to \cdots \to \Sigma_{j+1}$ be a GW computation.

1. For any ℓ and i < j + 1, the sum over all e, a of the multiplicities of all facts unseen(T,ℓ),
recovered(T,ℓ,e), aborted(T,ℓ,a) is unchanged:

$$1 \ge |\mathsf{unseen}(T,\ell)|_{\Sigma_0} = \sum_{a,e}\bigl(|\mathsf{unseen}(T,\ell)|_{\Sigma_i} + |\mathsf{recovered}(T,\ell,e)|_{\Sigma_i} + |\mathsf{aborted}(T,\ell,a)|_{\Sigma_i}\bigr).$$

2. $|\mathsf{recovered}(T,\ell,e)|_{\Sigma_i} = 1$ iff $\exists k < i,\ \mathrm{lab}(\rho_k)\cdot\sigma_k = \mathsf{rcvr}(T,\ell,e)$.

3. $|\mathsf{aborted}(T,\ell,a)|_{\Sigma_i} = 1$ iff $\exists k < i,\ \mathrm{lab}(\rho_k)\cdot\sigma_k = \mathsf{abrt}(T,\ell,a)$.

4. If $\exists i,\ \mathrm{lab}(\rho_i)\cdot\sigma_i = \mathsf{rcvr}(T,\ell,e)$, then $\forall k, a,\ \mathrm{lab}(\rho_k)\cdot\sigma_k \ne \mathsf{abrt}(T,\ell,a)$.

5. If $\exists i,\ \mathrm{lab}(\rho_i)\cdot\sigma_i = \mathsf{frcvr}(T,\ell,e)$, then $\exists k < i,\ \mathrm{lab}(\rho_k)\cdot\sigma_k = \mathsf{rcvr}(T,\ell,e)$.

6. If $\exists i,\ \mathrm{lab}(\rho_i)\cdot\sigma_i = \mathsf{fabrt}(T,\ell,a)$, then $\exists k < i,\ \mathrm{lab}(\rho_k)\cdot\sigma_k = \mathsf{abrt}(T,\ell,a)$.

7. If unseen(T,ℓ) ∈ Σ_0, then every session ℓ request to T in Fig. 3 can proceed on some branch.
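The six TTP rules and the invariants of Lemma 3.7 can be checked mechanically on concrete computations. The following Python model is an added example, not code from the paper: it represents a state as a multiset (a `Counter` of fact tuples), instantiates each rule form from its event label, builds a GW computation from a GW initial state by multiset rewriting, and then checks clauses 1 to 6 of Lemma 3.7 on the resulting state sequence. All principal, label and value names (`T`, `l1`, `l2`, `e1`, `a1`, `a2`) are constructed sample values.

```python
from collections import Counter

# A state is a multiset of facts, modelled as a Counter over tuples of the forms
#   ("unseen", T, l), ("recovered", T, l, e), ("aborted", T, l, a).
# An event is a tuple (kind, T, l, v) with kind in rcvr/abrt/frcvr/fabrt and v = e or a.
# Every concrete name below (T, l1, l2, e1, a1, a2) is a constructed sample value.

def rule_forms(event):
    """Instantiate the rule form(s) labelled by `event` as (lhs, rhs) pairs.

    lhs facts are consumed and rhs facts deposited. rcvr and abrt each have two
    forms (from unseen, or from the fact already present); frcvr/fabrt have one.
    """
    kind, T, l, v = event
    unseen, recovered, aborted = ("unseen", T, l), ("recovered", T, l, v), ("aborted", T, l, v)
    return {
        "rcvr": [([unseen], [recovered]), ([recovered], [recovered])],
        "abrt": [([unseen], [aborted]), ([aborted], [aborted])],
        "frcvr": [([recovered], [recovered])],
        "fabrt": [([aborted], [aborted])],
    }[kind]

def enabled_form(state, event):
    """First form of `event` whose lhs is contained in the multiset `state`, else None."""
    for lhs, rhs in rule_forms(event):
        if all(state[f] >= n for f, n in Counter(lhs).items()):
            return lhs, rhs
    return None

def step(state, event):
    """Rewrite `state` by one enabled form of `event`; None if no form is enabled."""
    form = enabled_form(state, event)
    if form is None:
        return None
    lhs, rhs = form
    new = Counter(state)
    new.subtract(Counter(lhs))
    new.update(Counter(rhs))
    return +new  # unary plus drops facts whose multiplicity fell to zero

def is_gw_initial(state):
    """Definition 3.6: only unseen facts, each with multiplicity at most 1."""
    return all(f[0] == "unseen" and n <= 1 for f, n in state.items())

def run(initial, events):
    """Return the GW computation [Σ_0, ..., Σ_j]; raise if some event is not enabled."""
    if not is_gw_initial(initial):
        raise ValueError("not a GW initial state")
    states = [initial]
    for ev in events:
        nxt = step(states[-1], ev)
        if nxt is None:
            raise ValueError(f"event {ev} is not enabled in {dict(states[-1])}")
        states.append(nxt)
    return states

def is_computation(initial, events):
    """True iff `events` can be applied in order from `initial` (each one enabled)."""
    try:
        run(initial, events)
        return True
    except ValueError:
        return False

def session_mass(state, T, l):
    """Multiplicities of unseen(T,l), recovered(T,l,.) and aborted(T,l,.), summed."""
    return sum(n for f, n in state.items() if f[1:3] == (T, l))

def check_lemma_3_7(states, events, T, l):
    """Check clauses 1 to 6 of Lemma 3.7 for session (T, l) on a computation."""
    m0 = states[0][("unseen", T, l)]
    for i, st in enumerate(states):
        prior = events[:i]  # the events at positions k < i
        if not (m0 <= 1 and session_mass(st, T, l) == m0):
            return False  # clause 1: mass is at most 1 and never changes
        for ev in prior:  # clauses 2, 3 ("if"): a past rcvr/abrt forces the fact
            if ev[1:3] == (T, l) and ev[0] in ("rcvr", "abrt"):
                fact = ("recovered" if ev[0] == "rcvr" else "aborted",) + ev[1:]
                if st[fact] != 1:
                    return False
        for f in st:  # clauses 2, 3 ("only if"): the fact forces a past rcvr/abrt
            if f[0] in ("recovered", "aborted") and f[1:3] == (T, l):
                if (("rcvr" if f[0] == "recovered" else "abrt"),) + f[1:] not in prior:
                    return False
    kinds = {ev[0] for ev in events if ev[1:3] == (T, l)}
    if "rcvr" in kinds and "abrt" in kinds:
        return False  # clause 4: never both a recover and an abort for one label
    for i, ev in enumerate(events):  # clauses 5, 6: a forced event needs the plain one before it
        if ev[0] in ("frcvr", "fabrt") and (ev[0][1:],) + ev[1:] not in events[:i]:
            return False
    return True

# Constructed sample: session l1 is recovered (twice, then forced); session l2 is aborted.
SIGMA_0 = Counter({("unseen", "T", "l1"): 1, ("unseen", "T", "l2"): 1})
EVENTS = [("rcvr", "T", "l1", "e1"), ("rcvr", "T", "l1", "e1"),
          ("frcvr", "T", "l1", "e1"), ("abrt", "T", "l2", "a2")]

def demo():
    """Run the sample; return (lemma holds, abort on l1 is blocked, final state)."""
    states = run(SIGMA_0, EVENTS)
    holds = all(check_lemma_3_7(states, EVENTS, "T", l) for l in ("l1", "l2"))
    # After a recover, a plain abort on the same label has no enabled form
    # (clause 4); only frcvr(T,l1,e1) can still fire for that label.
    blocked = step(states[-1], ("abrt", "T", "l1", "a1")) is None
    return holds, blocked, dict(states[-1])
```

The model makes the two-form structure of rcvr and abrt visible: the second form is what lets a repeated request succeed without changing the state, while the absence of any form taking unseen(T,ℓ) to a forced event is what guarantees clauses 5 and 6.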
Initiator and Responder State. The initiator and responder have rules with empty precondition, that
simply deposit record values into their state. These records are of the forms eor(A,ℓ,EOR,M,K,R),
eoo(B,ℓ,EOO,M,K,R), and aborted(P,ℓ,⟦⟦ab_rq ^ h(ℓ)⟧_A⟧_T). The last is used both by the initiator and
the responder. The rules are:

$\xrightarrow{\ \mathsf{depEOR}(A,\ell,e,M,K,R)\ } \mathsf{eor}(A,\ell,e,M,K,R)$

$\xrightarrow{\ \mathsf{depEOO}(B,\ell,e,M,K,R)\ } \mathsf{eoo}(B,\ell,e,M,K,R)$

$\xrightarrow{\ \mathsf{depAT}(P,\ell,a)\ } \mathsf{aborted}(P,\ell,a)$



4 Progress Assumptions 



We introduce two kinds of progress properties for protocols. One of them (Def. 4.1) formalizes the idea
that certain messages, if sent, must be delivered to a regular participant, i.e. that these messages traverse
resilient channels. The second is the idea that principals, at particular nodes in a strand, must progress.
We will stipulate that if a principal's next step is a state event, and the current state satisfies the right
hand side of the associated rule, then the principal will always take either that step or another enabled
step. It is formalized in Def. 4.3.



Definition 4.1 Suppose that Π is a protocol, and G is a set of nodes s↓i such that for all s↓i ∈ G, s is
a role of Π and s↓i is a transmission node. Then G is a set of guaranteed delivery assumptions for Π.

A transmission node n on a strand s' is a guaranteed delivery node for Π, G if it is an instance
n = (s↓i)·α of the i node of some role s ∈ Π, and s↓i ∈ G.

Let 𝓑 be a bundle for Π. 𝓑 satisfies guaranteed delivery for G if for every guaranteed delivery node
n ∈ 𝓑, there is a unique node m ∈ 𝓑 such that n →_𝓑 m, and moreover m is regular.

There are three ingredients here. First, n's transmission should be received somewhere. Second, it 
should be received at most once. Finally, the recipient should be regular. For our progress condition, 
however, we want a stronger condition than this guaranteed delivery property. In particular, we also want 
to stipulate that if a guaranteed transmission node can be added, and its message can be delivered, then it 
will be added together with one matching reception node. However, for this we need to define the right 
notion of "can." Thus, we define the unresolved nodes of a bundle, using n ~ m, which means that n and 
m are similar in the following sense: 

Definition 4.2 Regular nodes n', m' are similar, written n' ~ m', if the initial segments of the strands they
lie on, n ⇒ ... ⇒ n' and m ⇒ ... ⇒ m', (1) are of the same length; (2) corresponding nodes have the
same direction (transmission, reception, or state synchronization); and (3) corresponding nodes have the
same message or state synchronization event label.

A regular node n_0 is unresolved in 𝓑 if n_0 ⇒ n_1 and for some n'_0 ∈ 𝓑, n'_0 ~ n_0 but for all n'_1 ∈ 𝓑,
n'_0 ⇏ n'_1.

A node n_0 is unresolved if it can progress to some n_1, but a similar n' ∈ 𝓑 has not progressed. Thus,
substituting a similar node for a node in 𝓑, we obtain a bundle 𝓑' to which this transition may be added.



Definition 4.3 Let 𝓔 = (𝓑, 𝓒, φ) be an execution of Π, G constrained by R. 𝓔 is a stable execution if
(1) 𝓑 satisfies guaranteed delivery for G; (2) there are no enabled transmission edges for 𝓔; and (3)
there are no enabled state edges for 𝓔, where we define enabled transmission and state edges as follows:

1. n_0 ⇒ n_1 is an enabled transmission edge for 𝓔 if:

(a) n_0 is unresolved in 𝓑;

(b) n_1 is a guaranteed delivery node; and

(c) there is a regular reception node m_1 with msg(m_1) = msg(n_1) where either

i. m_1 is the first node on its strand, or else

ii. m_0 ⇒ m_1 where m_0 is unresolved in 𝓑.

2. n_0 ⇒ n_1 is an enabled state edge for 𝓔 if:

(a) n_0 is unresolved in 𝓑;

(b) n_1 is a state synchronization node with event E(p,t); and

(c) ∃ρ ∈ R and σ s.t. lab(ρ)·σ = E(p,t) and lhs(ρ)·σ ⊆ last(𝓒).

In a stable execution, each strand has reached a "stopping point," where no transmission with guaranteed
delivery (and matching reception) is waiting to happen, and no state synchronization event is waiting
to happen. A protocol Π and rules R drive the evolution of state through states satisfying some balance
property Ψ means that when 𝓔 = (𝓑, 𝓒, φ) is a stable execution for Π, R, and Ψ(first(𝓒)), then
Ψ(last(𝓒)).

Guaranteed Delivery for Wang's Protocol. The guaranteed delivery assumptions for Wang's protocol
are not surprising. They are the messages transmitted on resilient channels between the principals and
the Trusted Third Party. These are A's transmission of AR and B's transmission of RR in Fig. 2 and T's
six transmissions in Fig. 3.

Progress in Wang's Protocol. No protocol can protect principals that do not follow it. Thus, correctness
conditions are stated for stable executions in which at least one of A, B comply with the protocol. We
also assume that the trusted third party T merits trust, and also complies with the protocol. A principal
P is compliant in a bundle 𝓑 if P ∈ {A, B} and P's signing key is used only in accordance with Π_GW in
𝓑; or if P = T, the trusted third party, and T's signing and decryption keys are used only in accordance
with Π_GW in 𝓑.

Henceforth, let 𝓔 = (𝓑, 𝓒, φ) be a GW-execution. Let Σ_0 and Σ_j be the first and last states of 𝓒. For
each label ℓ occurring in an A initiator strand or a B responder strand in 𝓑, assume that unseen(T,ℓ) ∈ Σ_0.

Lemma 4.4 (GW Progress) Let S be a set of principals compliant in 𝓔, with T ∈ S. There exists a stable
𝓔' = (𝓑', 𝓒', φ'), such that (1) 𝓔' extends 𝓔; (2) the principals S are compliant in 𝓔'; and (3) p = T if
p is the principal of any regular strand of 𝓑' that does not appear in 𝓑.

If s is an initiator or TTP strand with 𝓑'-height ≥ 1, then its 𝓑'-height is its full length. If s is a
responder strand with 𝓑'-height ≥ 2, then its 𝓑'-height is its full length.

Proof. Inspecting Fig. 2 we see that an initiator strand of 𝓑-height 1 may progress by sending a
guaranteed-delivery AR, which is also possible for an initiator strand that has received EOR. The
guaranteed delivery rule requires the first node of some T strand receiving AR. By Lemma 3.7 Clause 7,
some T state synchronization event is enabled, after which T makes a guaranteed-delivery transmission.
Thus, A receives AT or EOR. Since its deposit state synchronization events have empty precondition, A
will complete its strand. The analysis for responder strands is similar. □

That is, we may regard starting a strand in 𝓑, or, for a responder, sending its EOR message, as a
promise to progress regularly in the future, as required by Def. 4.3. Moreover, new strands that begin in
𝓑', not 𝓑, belong only to the TTP T. In 𝓑', these strands have terminated by reaching their full length.
5 Correctness of Wang's protocol

We now summarize our conclusions in a theorem that puts together the different elements we have
discussed.

Theorem 5.1 Let 𝓔 = (𝓑, 𝓒, φ) be a stable GW-execution with unseen(T,ℓ) ∈ Σ_0.

1. If eoo(B,ℓ,EOO,M,K,R) ∈ Σ_j but ∉ Σ_0, then for compliant A, eor(A,ℓ,EOR,M,K,R) ∈ Σ_j.

2. If eor(A,ℓ,EOR,M,K,R) ∈ Σ_j but ∉ Σ_0, then for compliant B, either eoo(B,ℓ,EOO,M,K,R) ∈ Σ_j
or else aborted(B,ℓ,AT) ∈ Σ_j.

Proof. 1. By the state rules for B, depEOO(B,ℓ,e,M,K,R) has occurred in 𝓒. Hence, B has reached
one of the two depEOO() nodes shown in Fig. 2 with parameters B,ℓ,e,M,K,R. Hence, by Lemma 2.1
Clause 2, A has executed at least the first node of an initiator strand, transmitting EOO, on a strand with
matching parameters. Since 𝓔 is stable, by Thm. 4.4 A's strand has full height. Thus, either depEOR()
or depAT() has occurred with matching parameters.

However, if depAT() has occurred at A, then A does not transmit K ^ R. Moreover, since A has
received AT, T has transmitted AT by Lemma 2.2 Clause 1. Hence, by Lemma 3.7 Clause 4, 𝓒 does
not contain a rcvr(T,ℓ,e) event. Thus, contrary to Lemma 2.2 Clause 2, T has not transmitted K ^ R.
Hence, depEOR() has occurred.

2. By the state rules for A, depEOR(A,ℓ,e,M,K,R) has occurred in 𝓒. Hence, A has reached one
of the two depEOR() nodes shown in Fig. 2 with parameters A,ℓ,e,M,K,R. Hence, by Lemma 2.1
Clause 1, B has executed at least the first two nodes of a responder strand, transmitting EOR, on a strand
with matching parameters. Since 𝓔 is stable, by Thm. 4.4 B's strand has full height. Thus, either
depEOO() or depAT() has occurred at B with matching parameters. □

Conclusion. This formalism has also been found to be convenient to model the interface to a
cryptographic device, the Trusted Platform Module, which combines cryptographic operations with a
repository of state. Thus, it appears to be a widely applicable approach to the problem of combining
reasoning about cryptographic protocols with reasoning about state and histories.
A Messages and Protocols

In this appendix, we provide an overview of the current strand space framework; this section is essentially
identical with part of [10].

Message Algebra. Let A_0 be an algebra equipped with some operators and a set of homomorphisms
η: A_0 → A_0. We call members of A_0 atoms.

For the sake of definiteness, we will assume here that A_0 is the disjoint union of infinite sets of nonces,
atomic keys, names, and texts. The operator sk(a) maps names to (atomic) signature keys, and K^{-1} maps
an asymmetric atomic key to its inverse, and a symmetric atomic key to itself. Homomorphisms η are
maps that respect sorts, and act homomorphically on sk(a) and K^{-1}.

Let X be an infinite set disjoint from A_0; its members, called indeterminates, act like unsorted
variables. A is freely generated from A_0 ∪ X by two operations: encryption {|t_0|}_{t_1} and tagged
concatenation tag t_0^t_1, where the tags tag are drawn from some set TAG. For a distinguished tag nil, we
write nil t_0^t_1 as t_0^t_1 with no tag. In {|t_0|}_{t_1}, a non-atomic key t_1 is a symmetric key. Members of A
are called messages.

A homomorphism α = (η, χ): A → A consists of a homomorphism η on atoms and a function
χ: X → A. It is defined for all t ∈ A by the conditions:

$$\begin{array}{ll}
a\cdot\alpha = \eta(a), \ \text{if } a \in \mathsf{A}_0 & \quad \{\!|t_0|\!\}_{t_1}\cdot\alpha = \{\!|t_0\cdot\alpha|\!\}_{t_1\cdot\alpha} \\
x\cdot\alpha = \chi(x), \ \text{if } x \in X & \quad \mathit{tag}\ t_0\,\hat{}\,t_1\cdot\alpha = \mathit{tag}\ (t_0\cdot\alpha)\,\hat{}\,(t_1\cdot\alpha)
\end{array}$$

Thus, atoms serve as typed variables, replaceable only by other values of the same sort, while
indeterminates x are untyped. Indeterminates x serve as blank slots, to be filled by any χ(x) ∈ A.
Indeterminates and atoms are jointly parameters.

Messages are abstract syntax trees in the usual way:

1. Let ℓ and r be the partial functions such that for t = {|t_1|}_{t_2} or t = tag t_1^t_2, ℓ(t) = t_1 and r(t) = t_2;
and for t ∈ A_0, ℓ and r are undefined.

2. A path p is a sequence in {ℓ, r}*. We regard p as a partial function, where ⟨⟩ = Id and cons(f, p) =
p ∘ f. When the rhs is defined, we have: 1. ⟨⟩(t) = t; 2. cons(ℓ, p)(t) = p(ℓ(t)); and 3.
cons(r, p)(t) = p(r(t)).

3. p traverses a key edge in t if p_1(t) is an encryption, where p = p_1 ^ ⟨r⟩ ^ p_2.

4. p traverses a member of S if p_1(t) ∈ S, where p = p_1 ^ p_2 and p_2 ≠ ⟨⟩.

5. t_0 is an ingredient of t, written t_0 ⊑ t, if t_0 = p(t) for some p that does not traverse a key edge in t.

6. t_0 appears in t, written t_0 ≪ t, if t_0 = p(t) for some p.

A single local session of a protocol at a single principal is a strand, containing a linearly ordered sequence
of transmissions, receptions, and state synchronization events that we call nodes. In Figs. 2 and 3, the
columns of nodes connected by double arrows ⇒ are strands.

Assumption 1 Strands and nodes are disjoint from A.

A message t_0 originates at a node n_1 if (1) n_1 is a transmission node; (2) t_0 ⊑ msg(n_1); and (3) whenever
n_0 ⇒⁺ n_1, t_0 ⋢ msg(n_0).

Thus, t_0 originates when it was transmitted without having been either received, transmitted, or
synchronized previously on the same strand. Values assumed to originate only on one node in an execution,
uniquely originating values, formalize the idea of freshly chosen, unguessable values. Values assumed
to originate nowhere may be used to encrypt or decrypt, but are never sent as message ingredients. They
are called non-originating values. For a non-originating value K, K ⋢ t for any transmitted message t.
However, K ≪ {|t_0|}_K ⊑ t possibly, which is why we distinguish ⊑ from ≪. See [10, 6] for more details.
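To make the path machinery of items 1 to 6 concrete, together with the distinction between ⊑ and ≪ on which the non-originating-value remark just above relies, here is a small Python implementation. It is an added example, not part of the appendix or of any strand space tool: it builds messages as nested tuples, enumerates the paths from a message to a subterm, decides whether a path traverses a key edge, and applies a homomorphism α = (η, χ). The atoms `K`, `Na`, `A` and the indeterminate `x` are constructed sample values.

```python
# Messages of the appendix's algebra as tuples (added example, not the paper's code):
#   atom           ("atom", sort, name)     a in A_0, e.g. a key or a nonce
#   indeterminate  ("var", name)            x in X
#   encryption     ("enc", t0, t1)          {|t0|}_{t1}
#   concatenation  ("cat", tag, t0, t1)     tag t0^t1, with tag None meaning nil

def atom(sort, name):
    return ("atom", sort, name)

def var(name):
    return ("var", name)

def enc(t0, t1):
    return ("enc", t0, t1)

def cat(t0, t1, tag=None):
    return ("cat", tag, t0, t1)

def left(t):
    """Partial function l: plaintext of an encryption or left half of a concatenation."""
    return t[1] if t[0] == "enc" else t[2] if t[0] == "cat" else None

def right(t):
    """Partial function r: key of an encryption or right half of a concatenation."""
    return t[2] if t[0] == "enc" else t[3] if t[0] == "cat" else None

def follow(path, t):
    """Apply a path p in {l, r}* to t; None where the partial function is undefined."""
    for d in path:
        if t is None:
            return None
        t = left(t) if d == "l" else right(t)
    return t

def traverses_key_edge(path, t):
    """p = p1 ^ <r> ^ p2 traverses a key edge in t if p1(t) is an encryption."""
    for i, d in enumerate(path):
        sub = follow(path[:i], t)
        if d == "r" and sub is not None and sub[0] == "enc":
            return True
    return False

def paths_to(t0, t):
    """All paths p with p(t) = t0, found by walking the syntax tree."""
    found = []
    def walk(sub, path):
        if sub is None:
            return
        if sub == t0:
            found.append(tuple(path))
        if sub[0] in ("enc", "cat"):
            walk(left(sub), path + ["l"])
            walk(right(sub), path + ["r"])
    walk(t, [])
    return found

def appears(t0, t):
    """t0 << t: t0 is reachable by some path."""
    return bool(paths_to(t0, t))

def is_ingredient(t0, t):
    """t0 ⊑ t: t0 is reachable by a path that crosses no key edge."""
    return any(not traverses_key_edge(p, t) for p in paths_to(t0, t))

def apply_hom(t, eta, chi):
    """t·α for α = (η, χ): η replaces atoms by atoms of the same sort, χ fills indeterminates."""
    if t[0] == "atom":
        out = eta.get(t, t)
        if out[0] != "atom" or out[1] != t[1]:
            raise ValueError("η must respect sorts")
        return out
    if t[0] == "var":
        return chi.get(t, t)
    if t[0] == "enc":
        return enc(apply_hom(t[1], eta, chi), apply_hom(t[2], eta, chi))
    return cat(apply_hom(t[2], eta, chi), apply_hom(t[3], eta, chi), t[1])

# Constructed sample values.
K, NA, A, X = atom("key", "K"), atom("nonce", "Na"), atom("name", "A"), var("x")
T_SAMPLE = cat(A, enc(NA, K))  # A ^ {|Na|}_K

def demo():
    """Show why ⊑ and << differ for a key that is only used to encrypt."""
    return {
        "K appears": appears(K, T_SAMPLE),            # path r r reaches K
        "K ingredient": is_ingredient(K, T_SAMPLE),   # but that path crosses a key edge
        "Na ingredient": is_ingredient(NA, T_SAMPLE), # path r l crosses none
        "nested K ingredient": is_ingredient(K, enc(enc(NA, K), K)),
        "filled x": apply_hom(enc(X, K), {}, {X: NA}) == enc(NA, K),
    }
```

Running `demo()` reports that K appears in A ^ {|Na|}_K without being an ingredient of it, which is exactly the situation a non-originating key is in: it may sit under the key edge of every encryption in a bundle and still never originate.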

Protocols. A protocol IT is a finite set of strands, representing the roles of the protocol. Their instances 
result by replacing A,B,K,M, etc., by any names, symmetric key, text, etc. Each protocol also contains 
the listener role Lsn[y] with a single reception node in which y is received. The instances of Lsn[y] are 
used to document that values are available without cryptographic protection. 

Indeterminates represent messages received from protocol peers, or passed down as parameters from
higher-level protocols. Thus, we require:

If n_1 is a node on ρ ∈ Π, with an indeterminate x ≪ msg(n_1),
then ∃n_0, n_0 ⇒* n_1, where n_0 is a reception node and x ⊑ msg(n_0).

So, an indeterminate is received as an ingredient before appearing in any other way. We say that a strand
s is in 𝓑 if s has at least one node in 𝓑.

Proposition A.1 Let 𝓑 be a bundle. ≼_𝓑 is a well-founded partial order. Every non-empty set of nodes
of 𝓑 has ≼_𝓑-minimal members. If a ⊑ msg(n) for any n ∈ 𝓑, then a originates at some m ≼_𝓑 n.



